v4.4: feat(listener): TLS partial_chain validation #10553 (Merged)
qzhuyan merged 13 commits into emqx:main-v4.4 from qzhuyan:dev/william/tls-root-fun-verify-partial-chain on May 10, 2023
Conversation
Pull Request Test Coverage Report for Build 4927304571 (Coveralls)
qzhuyan force-pushed the dev/william/tls-root-fun-verify-partial-chain branch 2 times, most recently from d720bc8 to 491a238 on May 2, 2023 07:39
qzhuyan changed the title from "feat(listener): TLS partial_chain validation" to "v4.4: feat(listener): TLS partial_chain validation" on May 3, 2023
zmstone reviewed on May 3, 2023
qzhuyan force-pushed the dev/william/tls-root-fun-verify-partial-chain branch from d7fc6db to 245be16 on May 3, 2023 13:13
zmstone reviewed on May 4, 2023
zmstone reviewed on May 4, 2023
qzhuyan force-pushed the dev/william/tls-root-fun-verify-partial-chain branch 3 times, most recently from 813ac21 to 57ea9b8 on May 5, 2023 08:49
qzhuyan commented on May 5, 2023
zmstone reviewed on May 5, 2023
qzhuyan force-pushed the dev/william/tls-root-fun-verify-partial-chain branch from 3d0cc70 to c881ae1 on May 9, 2023 11:10
qzhuyan force-pushed the dev/william/tls-root-fun-verify-partial-chain branch from 7664121 to 8260f89 on May 9, 2023 14:07
The listener could support two versions of CAcerts if partial_chain is set to `two_cacerts_from_cacertfile`
qzhuyan force-pushed the dev/william/tls-root-fun-verify-partial-chain branch from 8260f89 to 7894bb0 on May 9, 2023 15:00
zmstone approved these changes on May 10, 2023
HJianBo reviewed on May 15, 2023
@@ -7,5 +7,9 @@ | |||
某些动作的参数支持使用占位符语法,来动态的填充字符串的内容,占位符语法的格式为 `${key}`。 | |||
改进前,`${key}` 中的 `key` 只能包含字母、数字和下划线。改进后 `key` 支持任意的 UTF8 字符了。 | |||
|
|||
- 增加了一个新的功能,为TLS监听器启用部分证书链验证[#10553](https://github.com/emqx/emqx/pull/10553)。 | |||
如果 partial_chain 设置为“true”,cacertfile 中的最后一个证书将被视为证书信任链的顶端证书。 也就是说,TLS 握手不需要完整的链,并且 EMQX 不会尝试一直验证链直到根 CA。 |
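Review bot: The new changelog sentence documents only the `true` mode (the last certificate in cacertfile becomes the top of the trust chain), but the PR also adds `two_cacerts_from_cacertfile`, under which the last two certificates are trusted. The entry should say "the last one or two certificates" and name both option values, otherwise operators reading the changelog will not learn that a listener can accept clients under two CA certificates at once.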
last certificate ->
last one or two certificates
HJianBo reviewed on May 15, 2023
@@ -1646,6 +1646,10 @@ end}. | |||
{datatype, atom} | |||
]}. | |||
|
|||
{mapping, "listener.ssl.$name.partial_chain", "emqx.listeners", [ | |||
{datatype, atom} |
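Review bot: `{datatype, atom}` on the new `listener.ssl.$name.partial_chain` mapping accepts any atom, so a misspelt mode passes config validation and is only rejected, if at all, further down in the listener code. Constrain it to the supported values with `{datatype, {enum, [true, two_cacerts_from_cacertfile, cacert_from_cacertfile]}}` so that an invalid setting fails at config load time rather than silently changing which client certificates the listener accepts.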
{datatype, {enum, [true, two_cacerts_from_cacertfile, cacert_from_cacertfile]}}
Fixes EMQX-9789
Summary
🤖 Generated by Copilot at 76659f4
This pull request adds a new feature to enable partial chain validation for TLS listeners, which can accept client certificates verified by any certificate in the server's CA file. It modifies the `emqx.schema`, `emqx_listeners`, and `emqx_tls_lib` files to define and implement the feature, and adds a new module `emqx_const_v2` to create a root_fun function for validation. It also adds a new test suite `emqx_listener_tls_verify_SUITE` and a helper module `emqx_test_tls_certs_helper` to test the feature with different scenarios and certificates.
PR Checklist
Please convert it to a draft if any of the following conditions are not met. Reviewers may skip over until all the items are checked:
- changes/{ce,ee}/(feat|perf|fix)-<PR-id>.en.md files
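An added example, not EMQX's own code and not part of this PR, showing how the OTP `ssl` `partial_chain` option implements the two modes described above (`true` trusts the last certificate in cacertfile, `two_cacerts_from_cacertfile` the last two); the module and function names are assumptions:

```erlang
%% Added example (not EMQX's code): a partial_chain fun for OTP ssl that
%% trusts the last one or two certificates of a PEM CA bundle.
-module(partial_chain_example).
-export([ssl_opts/2, make_partial_chain/1, trusted_anchors/2]).

%% Read the PEM bundle and keep the DER of its last N certificates,
%% i.e. the certificate(s) at the bottom of cacertfile.
trusted_anchors(CaCertFile, N) when N > 0 ->
    {ok, Pem} = file:read_file(CaCertFile),
    Ders = [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)],
    lists:nthtail(max(length(Ders) - N, 0), Ders).

%% OTP ssl calls this fun with the DER chain presented by the peer.
%% Returning {trusted_ca, Der} makes that certificate the anchor for
%% public_key:pkix_path_validation/3, so validation stops there instead
%% of continuing up to a root CA; unknown_ca rejects the handshake.
make_partial_chain(Anchors) ->
    fun(Chain) ->
        case lists:search(fun(Der) -> lists:member(Der, Anchors) end, Chain) of
            {value, Der} -> {trusted_ca, Der};
            false        -> unknown_ca
        end
    end.

%% Listener options for the two modes: `true` trusts the last certificate
%% in cacertfile, `two_cacerts_from_cacertfile` the last two, which lets one
%% listener accept clients issued under either of two CA generations while
%% the CA is being rotated.
ssl_opts(CaCertFile, Mode) ->
    N = case Mode of
            true -> 1;
            two_cacerts_from_cacertfile -> 2
        end,
    [{cacertfile, CaCertFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {partial_chain, make_partial_chain(trusted_anchors(CaCertFile, N))}].
```

The anchor is matched by exact DER bytes, so only clients whose presented chain contains one of the selected certificates are accepted, and replacing the last certificate in cacertfile immediately changes which clients can connect.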